Legislation & Regulation

There is some legislation and regulation concerning BCM, though only to a limited extent. On the one hand, this leaves more freedom to organise BCM as desired; on the other, it creates uncertainty. BCM is required only indirectly. It is difficult to determine, or to have determined, when measures are of sufficient quality. Management and boards will, however, certainly be held liable if continuity plans are lacking or are not acted upon. The Personal Data Protection Act, current corporate governance codes and DNB regulation, but also best practices in ICT (such as ITIL and the Data Protection Code), are creating increasing liability. Enterprises that are not listed on the stock exchange, governments and NGOs will also have the responsibility to comply with these obligations in the future.

Personal Data Protection Act (WBP), 2001
Section 13 requires that “The responsible party shall implement appropriate technical and organisational measures to secure personal data against loss or against any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, and having regard to the risks associated with the processing and the nature of the data to be protected. These measures shall also aim at preventing unnecessary collection and further processing of personal data.” The WBP gives no guidelines for BCM. Protection against loss can be achieved by taking technical ICT measures, such as backup and recovery. However, the WBP only concerns personal data. All other data important to the organisation are left out of consideration.
Sarbanes-Oxley (SOx) Act, 2004
For stock exchange listed enterprises, American legislation imposes rules to enforce sound business management. This legislation is special in that general management faces imprisonment or fines if these conditions of sound business management are not met. In this context, the Dutch Public Prosecution Service demanded, for the first time, a prison sentence for the former directors of Ahold in 2006. Section 404 sets rules for internal control and financial reporting. Management is obliged to make an explicit statement each year on the reliability of the internal control used within the company. The CEO and CFO have to declare that the internal control is watertight and, in addition to the usual financial reporting, the external auditor has to add an explicit statement agreeing with the CEO and CFO statements.

The Tabaksblat Code
The Tabaksblat Code is a so-called ‘principle-based system’ (as opposed to the ‘rule-based system’ of SOx). On the basis of Section 2:391, paragraph 4, an Order in Council gave this recommendation legal force by designating the Dutch corporate governance code as the code of conduct to which stock exchange listed companies must refer in their annual report, indicating to what extent they have complied with the code’s requirements. This legal provision was introduced as of the fiscal year 2004. The advantage of a ‘principle-based system’ is that principles are more difficult to circumvent than rules. The disadvantage is that it lacks ‘teeth’. The code contains an explicit reference to continuity: “The management board and board of directors are entirely responsible for these interests, generally aimed at the continuity of the company.” (preamble)

Assessment Framework Business Continuity Planning (BCP) by The Netherlands Bank (DNB)
Ahead of the ‘High-level principles for business continuity’ published by the Basel Committee in December 2005, DNB drew up the BCP assessment framework at the end of 2004. It was established in cooperation and consultation with the companies of the financial key infrastructure. The BCP assessment framework is a recommendation for the Dutch financial key infrastructure of payment and securities settlement systems, offering a number of BCP principles for the companies taking part in that key infrastructure, and thus raising the sector’s level of business continuity planning (BCP) and crisis management (CMT). As a framework, these standards are fully applicable outside the financial sector as well.

The 10 BCM principles from the DNB Assessment Framework:

  1. Every organisation must have a Business Continuity Plan, agreed to by the board and senior management, in which the strategy, goals and critical business processes are determined and where adequate continuity measures are documented. In all cases the safety of people must be paramount. The plan should be updated at least once a year.
  2. Every organisation should have made a risk analysis of probable calamities and their impact on essential systems and processes.
  3. In the Business Continuity Plan it must be made clear how the human factor is taken into account. Without people, the resumption of business activities or ICT processes is not possible.
  4. Every organisation must have a crisis organisation that can take action in emergency situations. This is to be managed by the board and senior management.
  5. Every organisation must have made an analysis of how it depends on basic facilities, such as electricity, telecom and water. Organisations often depend on a number of external providers, which makes single points of failure more likely.
  6. The essential business processes and systems must be resumed as soon as possible after a calamity.
  7. Every organisation must be able, depending on the risk profile, to relocate to an alternative centre at a sufficient distance from the main site.
  8. The relocation of procedures and systems should be tested regularly.
  9. Every organisation must have a communication plan, by which all stakeholders can be informed as adequately as possible.
  10. For the industry as a whole a business continuity plan should be made. This is a joint responsibility of the key infrastructure in which DNB takes the lead.